Creating and Managing User Accounts

By default, the tenancy has an administrative user in an administrators group, and a policy enables the administrators group to manage the tenancy. To limit a user to managing only a subset of resources in the tenancy or in another compartment, or to give a user less than full management access to some resources, create a user account, add the user account to one or more groups, and create one or more policies for those groups.

A user account is not automatically a member of any group. A user that is not a member of any group is visible in the tenancy but does not have access to any resources.

For conceptual information about user accounts and groups, see the Identity and Access Management Overview in the Oracle Private Cloud Appliance Concepts Guide.

Creating a User

When you create a user, the user is automatically created in the tenancy. You cannot specify a different compartment for the user.

Using the Compute Web UI

  1. In the navigation menu, click Identity, and then click Users.

  2. Click the Create User button.

  3. In the Create User dialog, enter the following information:

    • Name: A name for this user account. User names have the following characteristics:

      • Must be unique within the tenancy. You can create a user with the same name as a user that has been deleted.

      • Are case insensitive.

      • Cannot be changed later.

      • Must be at least two and no more than 100 characters.

      • Can contain only alphanumeric characters, period (.), hyphen (-), underscore (_), plus sign (+), and at sign (@).

    • Description: A description for this user, such as the full name of the person or a brief description of the account. The description has the following characteristics:

      • Must be 1-400 characters.

      • Does not need to be unique.

      • Can be changed later.

    • Email Address: (Optional) The email address for the user. Can be updated later.

    • Password: (Optional) To enable this user to log in to the Compute Web UI, check the box labeled "Generate a temporary password for this user."

      You can provide a password later. See Providing a Temporary Compute Web UI Password.

      Note:

      Passwords for federated users are not managed through this service. See information from your federated identity provider.

    • Tagging: (Optional) Add defined or free-form tags for this user account as described in Adding Tags at Resource Creation. Tags can also be applied later.

  4. Click the Create User button on the Create User dialog.

    If you checked the box labeled "Generate a temporary password for this user," a Temporary Password for New User dialog pops up, showing the temporary password. You cannot retrieve this password again after you close this dialog. Copy the temporary password, save the password to a safe place for delivery to the user, and click the "I have made a note of the password" button.

    The details page of the new user is displayed.

    Next steps:

    • Provide the user with a temporary password so that the user can set their own permanent Compute Web UI password.

      • If you checked the box labeled "Generate a temporary password for this user," provide the temporary password that you copied from the Temporary Password for New User dialog.

      • If you did not check the box labeled "Generate a temporary password for this user," or did not save that password, follow the instructions in Providing a Temporary Compute Web UI Password to generate a temporary password for the user.

    • Add this user to at least one group. See Adding a User to a Group by Updating the User.

    • If the user wants to use the OCI CLI, see Installing the OCI CLI.

Using the OCI CLI

  1. Get the following information:

    • A name and description for the user. See the Compute Web UI procedure for parameters. In the OCI CLI, a description must be provided but its value can be an empty string.

    • (Optional) The OCID of the tenancy for the user. By default, the root compartment OCID from the config file is used.

  2. Run the user create command.

    Syntax:

    oci iam user create --name text --description text

    See the Compute Web UI procedure for characteristics of the name and description values. See Adding Tags at Resource Creation to add defined and free-form tags.

    Example:

    $ oci iam user create --name flast --description "First Last" --email first.last@example.com

    The output of this command is the same as the output of the user get command.
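The name and description rules from the Compute Web UI procedure can be checked before the create command runs, which matters most when accounts are provisioned in bulk. The following is an added example, not part of the Oracle documentation: it assumes that "alphanumeric" means ASCII letters and digits, and the function names and the sample data are hypothetical.

```python
import re
import shlex

# Assumption: "alphanumeric" means ASCII letters and digits.
NAME_RE = re.compile(r"[A-Za-z0-9.\-_+@]{2,100}")

def check_new_user(name, description, live_names):
    """Return the rule violations for a new account; an empty list means valid."""
    problems = []
    if not NAME_RE.fullmatch(name):
        problems.append("name: 2-100 characters from A-Z a-z 0-9 . - _ + @")
    # Names are case insensitive, so compare case-folded forms. Pass only
    # accounts that still exist: the name of a deleted user can be reused.
    if name.casefold() in {n.casefold() for n in live_names}:
        problems.append("name: already used by an existing user")
    # The CLI accepts an empty description; the upper bound is 400 characters.
    if len(description) > 400:
        problems.append("description: more than 400 characters")
    return problems

def create_user_argv(name, description, email=None):
    """Argument vector for `oci iam user create`, for use without a shell."""
    argv = ["oci", "iam", "user", "create",
            "--name", name, "--description", description]
    if email:
        argv += ["--email", email]
    return argv

if __name__ == "__main__":
    live = ["FLast", "ops.admin"]  # constructed sample of existing user names
    requests = [("flast", "First Last"), ("jdoe+lab@example.com", ""),
                ("x", "too short"), ("bad name", "contains a space")]
    for name, description in requests:
        problems = check_new_user(name, description, live)
        if problems:
            print(f"{name!r} rejected: {'; '.join(problems)}")
        else:
            print(shlex.join(create_user_argv(name, description)))
```

Passing the returned list to subprocess.run without shell=True keeps a free-text description from being interpreted by a shell.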

    Next steps:

Providing a Temporary Compute Web UI Password

Perform this procedure for new users and for users who forget their password. This procedure generates a temporary one-time password. When the user signs in using this password, the user is required to change the password before proceeding. The generated temporary password expires after seven (7) days.

A tenancy administrator can provide a temporary password for any user. Users must set their own permanent passwords by following the instructions in Setting Your Own Compute Web UI Password.

Note:

Passwords for federated users are not managed through the IAM service. See information from your federated identity provider.

Using the Compute Web UI

  1. In the navigation menu, click Identity, and then click Users.

    If the user that needs a new password is in the Inactive state, see Unlocking a User.

  2. For the user that needs a new password, click the Actions menu, and click the Change Password option.

  3. In the Change Password dialog, click the Create Temporary Password button.

    A Password Changed dialog pops up. The New Password field contains the temporary password.

  4. Copy and save this temporary password.

    You cannot retrieve this password again after you close this dialog. Copy the temporary password, and save the password to a safe place for delivery to the user.

  5. Click the Close button on the dialog.

  6. Deliver this temporary one-time password to the user. The user must follow the rules stated in Setting Your Own Compute Web UI Password when setting their new password.

Using the OCI CLI

  1. Get the OCID of the user that needs a password (oci iam user list).

  2. Confirm that the user is active.

    If the lifecycle-state of the user is INACTIVE, see Unlocking a User.

  3. Run the command to create or reset the Compute Web UI password for the user.

    Example:

    $ oci iam user ui-password create-or-reset --user-id ocid1.user.unique_ID
    {
      "data": {
        "inactive-status": null,
        "lifecycle-state": "ACTIVE",
        "password": "N59%fP9uTq6\\",
        "time-created": "2021-10-13T22:10:49.290000+00:00",
        "user-id": "ocid1.user.unique_ID"
      }
    }

  4. Copy the password value from the command output and deliver this temporary one-time password to the user. The user must follow the rules stated in Setting Your Own Compute Web UI Password when setting their new password.
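The command output is JSON, so the password field is JSON-escaped: the doubled backslash in the sample output above is a single character in the real password. The following added example (not part of the Oracle documentation) decodes the value, computes the expiry, and builds a note that is safe to log; it assumes that the seven days are counted from time-created, and the function names are hypothetical.

```python
import json
from datetime import datetime, timedelta

TEMP_PASSWORD_LIFETIME = timedelta(days=7)  # expiry stated on this page

def parse_reset_output(raw_json):
    """Return (password, user_id, expires_at) from create-or-reset output."""
    data = json.loads(raw_json)["data"]
    if data["lifecycle-state"] != "ACTIVE":
        raise ValueError("user is not ACTIVE; see Unlocking a User")
    created = datetime.fromisoformat(data["time-created"])
    # Assumption: the lifetime is counted from the time-created field.
    return data["password"], data["user-id"], created + TEMP_PASSWORD_LIFETIME

def handoff_note(user_id, expires_at):
    """Text for a ticket or log entry; it never contains the password."""
    return (f"Temporary password issued for {user_id}; "
            f"valid until {expires_at.isoformat()}")

# The command output shown on this page, used as sample input.
SAMPLE = r'''{
  "data": {
    "inactive-status": null,
    "lifecycle-state": "ACTIVE",
    "password": "N59%fP9uTq6\\",
    "time-created": "2021-10-13T22:10:49.290000+00:00",
    "user-id": "ocid1.user.unique_ID"
  }
}'''

if __name__ == "__main__":
    password, user_id, expires_at = parse_reset_output(SAMPLE)
    # Hand the password to the user over a separate channel; log only the note.
    print(handoff_note(user_id, expires_at))
    print("decoded password length:", len(password))
```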

Setting Your Own Compute Web UI Password

Users do not require an access policy to set or change their own Compute Web UI password.

Setting Your Password

Use this procedure to set your Compute Web UI password initially, or to reset your password if you forgot your password.

Using the Compute Web UI

  1. Get the temporary password that was generated for you.

  2. On the login screen for the Compute Web UI, enter your user name.

  3. Enter the temporary password.

    A dialog pops up that says your password has expired and you need to create a new password.

  4. Click the Change my password button.

  5. On the Change My Password screen, enter the temporary password in the Current Password field.

  6. Enter a new password in the New Password field and again in the Confirm New Password field.

    Passwords must be at least 12 characters in length and contain at least one of each of the following: uppercase character, lowercase character, number, and symbol.

  7. Click the Save Changes button.

    A dialog pops up that says your password has been successfully updated.

  8. Click the Continue button.

  9. Log in using your new password.

Changing Your Password

Use this procedure to change your Compute Web UI password while your current password still works.

Using the Compute Web UI

  1. In the top right corner of the Compute Web UI, click your user menu.

  2. Click Change My Password.

  3. On the Change My Password screen, enter your current password in the Current Password field.

  4. Enter a new password in the New Password field and again in the Confirm New Password field.

    Passwords must be at least 12 characters in length and contain at least one of each of the following: uppercase character, lowercase character, number, and symbol.

  5. Click the Save Changes button.

    A dialog pops up that says your password has been successfully updated.

  6. Click the Continue button.

Viewing User Information and Group Membership

Using the Compute Web UI

  1. In the navigation menu, click Identity, and then click Users.

    The Users page shows all users of the tenancy because user accounts cannot be in different compartments. All users are in the tenancy.

  2. Click the name of the user for which you want more information.

  3. On the details page for that user account, scroll down to the Resources section.

  4. Click the Groups resource.

    The list of groups where this user is a member is shown.

  5. To see the full list of members of a group, click the name of the group in the Groups list.

    Scroll down to the Resources section for that group and click Group Members.

Using the OCI CLI

  1. Get the OCID of the user account for which you want the list of groups (oci iam user list).

  2. Run the list groups command.

    Syntax:

    oci iam user list-groups --user-id user_OCID

    The output of the list-groups command is the same as the output of the group get command for each group where this user is a member.

    The user get command does not show group membership.

Adding a User to a Group by Updating the User

A user must be a member of at least one group in order to have access to any resources.

Using the Compute Web UI

As an alternative to using the Users Compute Web UI page, you can use the Groups page as described in Adding a User to a Group by Updating the Group.

  1. In the navigation menu, click Identity, and then click Users.

  2. Click the name of the user that you want to add to a group.

  3. On the details page, scroll down to the Resources section and click Groups.

  4. At the top of the Groups list, click the Add User to Group button.

  5. In the Add User to Group dialog, select a group from the drop-down list, and then click the OK button.

    The selected group is added to the user's Groups list.

Using the OCI CLI

  1. For the OCI CLI procedure, see Adding a User to a Group by Updating the Group.

  2. Use the user list-groups command to show the groups where this user is a member. The output of the user list-groups command is the same as the output of the group get command for each group where this user is a member.

Removing a User from a Group by Updating the User

If you remove a user from all groups, the user will not have access to any resources.

Using the Compute Web UI

As an alternative to using the Users Compute Web UI page, you can use the Groups page as described in Removing a User from a Group by Updating the Group.

  1. In the navigation menu, click Identity, and then click Users.

  2. Click the name of the user that you want to remove from a group.

  3. Scroll to the Resources section and click Groups.

  4. For the group from which you want to remove the user, click the Actions menu, and click the Remove from Group option.

    The selected group is removed from the user's Groups list.

Using the OCI CLI

  1. For the OCI CLI procedure, see Removing a User from a Group by Updating the Group.

  2. Use the user list-groups command to show the groups where this user is a member. The output of the user list-groups command is the same as the output of the group get command for each group where this user is a member.

Modifying a User

You can change a user account's description and email address. You can add, change, or remove tags as described in Applying Tags to an Existing Resource.

Using the Compute Web UI

  1. In the navigation menu, click Identity, and then click Users.

  2. For the user account that you want to modify, click the Actions menu, and click the Edit option.

  3. In the Edit username dialog, modify the account's description, email address, or tags.

  4. Click Save Changes.

Using the OCI CLI

  1. Get the OCID of the user account that you want to modify (oci iam user list).

  2. Run the user update command.

    Syntax:

    oci iam user update --user-id user_OCID [ --description desc ] \
    [ --email email ] [ --defined-tags tags ] [ --freeform-tags tags ]

    The output of this command is the same as the output of the user get command.

Unlocking a User

This procedure unlocks a user that is in the Inactive state. A user might be in the Inactive state after too many incorrect login attempts.

Using the Compute Web UI

  1. In the navigation menu, click Identity, and then click Users.

  2. For the user account that you want to unlock, click the Actions menu, and click the Unblock option.

    The user transitions from the Inactive state to the Active state.

Using the OCI CLI

  1. Get the OCID of the user account that you want to unlock (oci iam user list).

    Confirm that the lifecycle-state of the user is INACTIVE.

  2. Run the update user state command.

    Syntax:

    $ oci iam user update-user-state --user-id ocid1.user.unique_ID \
    --blocked false

    Use the user get command to confirm that the lifecycle-state of the user is ACTIVE.
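Because an account might be Inactive after too many incorrect login attempts, it is worth reviewing locked accounts before unblocking them, together with accounts that belong to no group. The following added example (not part of the Oracle documentation) ranks such accounts from data collected with the user list and user list-groups commands; the JSON fields shown, the group names, and the privileged parameter are assumptions, and the sample data is constructed.

```python
import json

def review_accounts(users_json, groups_by_user, privileged=("Administrators",)):
    """Return (severity, user name, reason) tuples, most urgent first."""
    rank = {"high": 0, "medium": 1, "low": 2}
    findings = []
    for user in json.loads(users_json)["data"]:
        groups = groups_by_user.get(user["id"], [])
        if user["lifecycle-state"] == "INACTIVE":
            # Find out why sign-ins failed before unblocking the account.
            admin = any(g in privileged for g in groups)
            reason = "locked" + (" and in a privileged group" if admin else "")
            findings.append(("high" if admin else "medium", user["name"], reason))
        if not groups:
            # No group membership means no access to any resources.
            findings.append(("low", user["name"], "member of no group"))
    return sorted(findings, key=lambda f: (rank[f[0]], f[1]))

# Constructed sample in the assumed shape of `oci iam user list` output.
USERS = json.dumps({"data": [
    {"id": "ocid1.user.aaa", "name": "flast", "lifecycle-state": "ACTIVE"},
    {"id": "ocid1.user.bbb", "name": "opsadmin", "lifecycle-state": "INACTIVE"},
    {"id": "ocid1.user.ccc", "name": "newhire", "lifecycle-state": "ACTIVE"},
    {"id": "ocid1.user.ddd", "name": "contractor", "lifecycle-state": "INACTIVE"},
]})
# Constructed: group names per user, collected with `oci iam user list-groups`.
GROUPS = {
    "ocid1.user.aaa": ["Developers"],
    "ocid1.user.bbb": ["Administrators"],
    "ocid1.user.ccc": [],
    "ocid1.user.ddd": ["Developers"],
}

if __name__ == "__main__":
    for severity, name, reason in review_accounts(USERS, GROUPS):
        print(f"{severity:6} {name:12} {reason}")
```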

Deleting a User

You cannot delete a user if the user is a member of any group. You cannot delete your own user.

When you delete a user, all API keys associated with that user account are also deleted.

Using the Compute Web UI

  1. In the navigation menu, click Identity, and then click Users.

  2. Click the name of the user that you want to delete.

  3. Ensure that the user is not a member of any group.

    On the user details page, scroll down to the Resources section and click Groups. To remove this user from a group, click the Actions menu for the group in the Groups list, and click the Remove from Group option.

  4. At the top of the user details page, click the Delete button.

  5. On the Delete User confirmation dialog, click the Confirm button.

Using the OCI CLI

  1. Get the OCID of the user account that you want to delete (oci iam user list).

  2. Use the user list-groups command to ensure that the user is not a member of any group.

  3. Run the user delete command.

    Syntax:

    oci iam user delete --user-id user_OCID

    Example:

    $ oci iam user delete --user-id ocid1.user.unique_ID
    Are you sure you want to delete this resource? [y/N]: y

    To delete a user without confirmation, use the --force option.